A subject-matter expert has said that "there is effectively no enforcement" of the Data Protection Act, and suggested that corporate data losses or breaches are even more prevalent than in the public sector.
Andrew Sharpe, partner at London law firm Charles Russell, practices in the field of technology and telecoms law. He also …

COMMENTS

Icon required

The DPA *is* enforced...

...it's just that on the whole it's a pretty wimpy and crap law.

The EC have written to UK.gov to point out that the DPA does not fulfil the requirements of the original directive 95/46. The fundamental principles are intact, but the language is ambiguous leading to questionable interpretations and precedents (Durant v FSA), and no two DP lawyers can ever agree on how best to make sense of it.

It has piss poor sanctions attached to it and prosecutions are rare and toothless. Clive Goodman got four months for s55 offences.

The ICO desperately needs better teeth but ends up playing lackey to BERR and the DTI - we'd not want to upset those nice businessmen, even if their information governance is non-existent. A call to the ICO helpline confirmed that if you complain of a DPA breach, they'll perform a softly-softly investigation, pretty much take everything at face value (no data forensics), and that is literally that. No further action.

Compare us to the Spanish, where breaches of their DP laws carry €millions+ fines for first offences... deterrent is much better than cure.

Hmm...

The same everywhere

I live temporarily in Denmark and I experienced the same thing with a bank here. They had experienced a data loss that they didn't disclose. I found out about it by accident. They sent out an email saying they had detected 'customers with malware'. After a long phone conversation with some morons there, they admitted that some of their customer data had been discovered for sale on some Russian server. Companies go out of their way to make sure you don't know what's happened to your data and there should be severe penalties handed out for a data breach that can be proven that the company knew about it and didn't disclose it. The UK has a piss poor record on enforcing anything. We've bugger all chance of getting them to do anything about this.

Simple

So lets say a company loses 100 names, addresses and D.o.Bs. Not a lot of data, 48kb or so if plain text.

Criticality factor? High. On a scale of 1 to 100, I'd say 75. Deffo possible to use social engineering to gain control of an ID. If the data had been encrypted, the criticality factor could be reduced.

Encryption factor, 1. There was no encryption.

Let's say this is a first offence (maybe these need to expire after a time)

Base fine per kb? Oh, let's say £10 for fun.

Total fine in this case? 48 * (75/1) * 1 * 10 = £36,000

Remember, first offence and for not a lot of data.

What if this had been one of the more typical breaches we see? 2,000 names and a A LOT more information (say 2880kb). Still unencrypted.

2880 * (90/1) * 1 * 10 = £2,592,000 *ouch* For a first offence!

But wait, turns out the company wasn't that dumb and the data *was* encrypted. Strongly too (not just a passworded ZIP)

2880 * (90/90) * 1 * 10 = £28,800 Enough to make people think, but not so much that the company gets seriously hurt.

And so on. Such a simple mechanical system means companies basically set their own penalties by either taking protection seriously or by not. Their choice.

@ Steen Hive

How very true

In fact this happened to myself . A Public Body unlawfully disclosed data. The Data Protection Commissioner decided UNILATERALLY with the Public Body that they would not investigate until the Public Body said that they wanted them to !. Everything in this Country is an illusion to keep 99.9% of the population who don't ever need "it" happy that their tax monies are going to useful

causes, and the .1% find they are stuffed when they come to use "it" . It can be anything from

Private sector get off lightly - for now...

a) that there is a growing trend for private sector to lose data now as compared to prevalence of public sector up to now

b) a reminder that a lot of govt data handling is outsourced - eg: HMRC, NHS

c) a reminder that at present there is NO obligation on private sector to report losses of data and every incentive for them to remain shtum

d) a reminder that ICO currently has NO powers to require audit of private organisations/corporations

so - up to now - if private companies lost data, and no one "noticed" outside the organisation, they have a real incentive to just cover it up. And if they DO cover it up the ICO has no power to investigate their systems or require an audit. He can only issue an assessment if someone else complains and has evidence of the loss.

See follow up to the DPO conference and a report on how we got on there making representations about Phorm and BT's own data leaks and snooping, by going to this thread - our report will be up soon.

https://nodpi.org/forum/index.php/topic,541.msg9294.html#msg9294

Proposals currently going through in s8 of Coroners and Justice Bill (yes that one) to give increased powers to ICO to enforce audits in private sector.

@Martin

MOST laws are not properly enforced.

It is a criminal offence for a mail order seller to state they are not responsible for loss or damage in transit -- because they ARE responsible in law, and misrepresenting their responsibility is misrepresentation, which is also the law.

Search for "I am not responsible" on ebay and you will find hundreds of business sellers doing just that.

It would be just a few seconds work for Trading Standards to find them and prosecute them. But no, they can't be bothered. And thus a well-meaning law has become all but worthless.